I thought of it but at the time I hadn't
thought of using location.hash so it would
have been too much ASCII/I couldn't use /'s before
that, I will include a remote js file to do it
if it works...
EDIT:
I came up with the idea of using AJAX as soon as
I found the XSS as you can see from my site:
http://null-byt3.co.uk/memberxarea/viewtopic.php?p=223
EDIT 2:
I have also been working on a script to grab
local/remote files before finding the XSS so
I will put it to use and tell you what happens..

This and a number of other XSS etc have already been reported to kde.org as part of a research paper I wrote called Kreating havoK. IO slaves are interesting, I would suggest people go play with them. The first result of my fuzzing them was http://trolltech.com/company/newsroom/announcements/press.2007-07-27.7503755960 but expect more issues to come soon. We reported on the 11th July 2007.

The paper will be published when we've finished chatting with the KDE folk. I'll probably make the fuzzer available too, since IO slaves vary on different installs. My default Debian install has around 60 to play with, but there are many more. We found multiple XSS points (both in URL and reflected from remote services), directory traversal, a format string vulnerability, amongst other things, all in a short space of time but I'm willing to bet there is more to find. As I say, go play. It's as much fun as Firefox :).

I'm looking forward to it, I don't have that much time to toy with it myself. It would be a great learning curve to read the paper since this stuff isn't very well documented or written about, so do drop a note when it's time please ^^